PingIntelligence Health Check Guide
This section of the PingIntelligence Monitoring Guide provides administrators with a list of commands that can be used to perform health checks on different PingIntelligence components.
There are multiple methods explained for each component. You can automate the steps or use them in manual mode. The document also captures information on log files, process ID (PID) details, and port details of the API Security Enforcer (ASE) nodes, the API Behavioral Security (ABS) artificial intelligence (AI) engine, and the PingIntelligence Dashboard.
For more information, click the tab for the respective PingIntelligence components:
-
ASE
-
ABS AI Engine
-
PingIntelligence Dashboard
Performing health checks on ASE
About this task
You can use the following options to conduct a health check on ASE nodes:
Steps
-
To enable the ASE health check URL in the
/pingidentity/ase/config/ase.conffile, set theenable_ase_healthconfig property totrue.The default value of
enable_ase_healthisfalse.-
If the configuration is modified on a running ASE node, restart the node after modifying the configuration.
For more information, see Starting and stopping ASE.
-
In a clustered ASE environment, stop the ASE cluster and update the
ase.conffile of the primary node and restart the other ASE nodes.For more information, see Restarting an ASE cluster.
-
When the
enable_ase_healthis set totrue, go to the following URLs and do a health check:-
http://<ase-hostname/ip>:<http_port>/ase
-
https://<ase-hostname/ip>:<https_port>/ase
-
If ASE is receiving the traffic, the response is
200 OK. -
-
To check the status of an ASE process, the running status of HTTP or HTTPS process, and port number, run the
statuscommand-line interface (CLI) command.$./bin/cli.sh statusshellThis command also gives basic configuration information.
-
To show the status of communication between ABS and all the ASE nodes in a cluster, run the following command:
$ ./bin/cli.sh -u admin -p admin abs_infoshellThe
abs_infocommand shows the last log upload and attack fetch information from ABS. If ASE is having any issues in uploading logs to ABS or connecting to ABS, it is reported in the output of the command. -
If ASE is running as a
systemctlservice, use the following command to check the status of the service:$ systemctl status pi-ase.serviceshell
Performing health checks on the ABS AI engine
About this task
Use the following options to conduct a health check on the ABS AI engine:
Steps
-
To check the ABS Admin API, use the ABS Admin REST API either from the Postman Collection or use the
curlcommand:$ curl -k -X GET 'https://<ABS Hostname>/IP:8080/v4/abs/admin' -H 'x-abs-ak: <ABS access key>' -H 'x-abs-sk: <ABS ssecret key>'shell -
If the ABS AI engine is running as a
systemctlservice, use the following command to check the status of the service:$ systemctl status pi-abs.serviceshell -
To check the ABS log for job failures, use the following command:
$ grep allocated logs/abs/abs.log | grep failureshellTroubleshooting:
If any failures are detected, reach out to the Ping Identity Support team.
-
Check the ABS log for MongoDB heartbeats in the
/logs/abs/abs.logfile, which reports the status of MongoDB heartbeats at regular intervals.This file indicates any ABS to MongoDB connectivity issues.
Performing health checks on the PingIntelligence Dashboard
About this task
Use the following commands to check the health status of the PingIntelligence Dashboard and its components:
Steps
-
To check the health status of the Dashboard data engine:
-
Run the
statuscommand to check the status of the Dashboard process:$ ./bin/cli.sh statusshell
It returns the status as
RunningorNot Running.-
If the Dashboard data engine is running as a
systemctlservice, use the following command to check the status of the service:$ systemctl status pi-data-engineshell -
To check the Dashboard log file for errors or exceptions, verify the
/pingidentity/dataengine/logs/admin/dataengine.logfile to detect connectivity issues between the Dashboard data engine and ABS or Elasticsearch:$ tail logs/admin/dataengine.logshell
-
-
To check the health status of the WebGUI:
-
To check if the WebGUI component is running, use the following health check URL in a browser or the curl command.
Choose from:
-
The browser URL: https://<WebGUI Hostname/IP>:<port>/status
-
The curl command:
$ curl -k -o /dev/null -s -w "%{http_code}\n" https://<webgui>:8030/status 200shell
-
A
200 OKresponse results if the component is running.-
To show the status of the WebGUI process, run the
statuscommand:$ ./bin/cli.sh statusshell -
If the WebGUI is running as a
systemctlservice, use the following command to check the status of the service:$ systemctl status pi-webgui.serviceshell -
To check the WebGUI admin log file for errors or exceptions, verify the
/pingidentity/webgui/admin/logs/ admin.logfile to detect the connectivity issues between WebGUI and ABS or Elasticsearch:$ tail logs/admin/admin.logshell
-
-
To check the health status of Elasticsearch:
-
To check the health status of Elasticsearch using a health check URL:
Choose from:
-
Using anonymous access:
-
To enable access for anonymous user, add the following line to the
elasticsearch.yaml:xpack.security.authc.anonymous.roles: monitoring_user
You can update this during initial setup or later.
-
If you are making the change on a running instance, restart Elasticsearch.
-
After updating the
elasticsearch.yaml, to check the status of Elasticsearch, go to https://<Elasticsearch Hostname/IP>:9200/.You can use a browser or the following curl command:
+
$ curl -k -o /dev/null -s -w "%{http_code}\n" https://<Elasticsearch Hostname/IP>:9200/shell
-
A
200 OKresponse indicates a running Elasticsearch.-
Using a health check user:
This approach does not require an Elasticsearch restart.
-
To add a health check user to Elasticsearch, run the following command:
curl -u elastic:<elastic user password> -k -X POST "https://localhost:9200/_xpack/security/user/<health_check_user>?pretty" -H 'Content-Type: application/json' -d' { "password" : "<password for health_check_user>", "roles": ["monitoring_user"] } 'shell -
After adding the health check user, to check the status of Elasticsearch, go to https://<health_check_user>:<password>@<Elastcisearch hostname/IP>:9200/.
You can use a browser or the following curl command:
+
$ curl -k -o /dev/null -s -w "%{http_code}\n" https://<health_check_user>:<password>@<Elastcisearch hostname/IP>:9200/shell
-
-
A
200 OKresponse indicates a running Elasticsearch.-
Using Elasticsearch username and password:
-
To query the health status of Elasticsearch using the elastic user and its password to see a more comprehensive output, which also reports the state of the cluster, run the following curl command:
$ curl -XGET -k -H 'content-type: application/json; charset=UTF-8' -u "elastic:<password>" 'https://<elasticsearch hostname/IP>:9200/_cluster/health?pretty'shell-
To check the health status of Elasticsearch when it is running as a
systemctlservice, run the following command:$ systemctl status pi-elasticsearch.serviceshell -
To check the Elasticsearch log for errors or exceptions, verify the Elasticsearch log for any exceptions or errors by running the following command:
$ tail logs/elasticsearch.logshell
-
-
-
-
To check the health status of Kibana:
-
To check the health status of Kibana using a health check URL:
Choose from:
-
Using anonymous access:
-
To enable access, add the following line to the
kibana.yaml:status.allowAnonymous: true
You can update this during initial setup or later.
-
If you are making the change on a running instance, restart Kibana.
-
After updating the
kibana.yaml, to check the status, go to https://<Kibana Hostname/IP>:5601/pi/ui/dataengine/api/status.You can use a browser or the following curl command:
+
$ curl -k -o /dev/null -s -w "%{http_code}\n" https://<Kibana Hostname/IP>:5601/pi/ui/dataengine/api/statusshell
-
A
200 OKresponse indicates a running Kibana instance.-
Using health check user:
-
To add a health check user to Kibana, run the following command:
curl -u elastic:<elastic user password> -k -X POST "https://localhost:9200/_xpack/security/user/<health_check_user>?pretty" -H 'Content-Type: application/json' -d' { "password" : "<password for health_check_user>", "roles": ["monitoring_user"] } 'shell -
After adding the health check user, to check the status of Kibana, go to https://<health_check_user>:<password>@<Kibana hostname/IP>:5601/pi/ui/dataengine/api/status.
You can use a browser or the following curl command:
+
$ curl -k -o /dev/null -s -w "%{http_code}\n"https://<health_check_user>:<password>@<Kibana hostname/IP>:5601/pi/ui/dataengine/api/statusshell
-
-
A
200 OKresponse indicates a running Kibana.-
To check the health status of Kibana when it is running as a
systemctlservice, run the following command to check the status of the service:$ systemctl status pi-kibana.serviceshell -
To check Kibana log for errors or exceptions, verify the Kibana log for any exceptions or errors by running the following command:
$ tail logs/kibana.logshell
-
Logs, port numbers, and process IDs
Review this supplementary information on log file details, important port numbers, and process ID (PID) information of PingIntelligence for APIs components.
Log files
The following table shows the main log files of PingIntelligence components.
| ASE | ABS AI Engine | PingIntelligence PingIntelligenceDashboard | ||
|---|---|---|---|---|
|
|
Port numbers
The following table shows important port numbers used by PingIntelligence components.
| ASE | ABS AI Engine | PingIntelligence PingIntelligenceDashboard |
|---|---|---|
|
PID information
All PingIntelligence components have their respective PID files. Refer to these files for monitoring or for getting the PID information of the processes.
| ASE | ABS AI Engine | PingIntelligence PingIntelligenceDashboard |
|---|---|---|
The ASE PID file contains the PID for the controller process and the HTTP balancer and HTTPS balancer processes: |
The |
There are separate PID files for the different components of the PingIntelligence Dashboard:
|